Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-21 Thread Chris Moschini
Well, if you mean "terrified" as in "Ought to learn about security and
input sanitization," I agree. If you mean it as in "should never use
json/xml," then I disagree. JSON is a great way to store and move data,
especially on the web.

To summarize the security part for those new to it: Any time user-submitted
data passes to you, you need to clean it. Otherwise it might include nasty
code that injects itself in your database, in your code, in visitors'
webpages that view it, steals cookies and pretends to be someone else, runs
a fake-clicking service, etc. If you can't ensure you can properly clean
it, for example because arbitrary HTML or JavaScript is the intended input
you're gathering, then you need to sandbox it whenever it's presented, like
jsfiddle.net does.
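The "clean it" advice above is really two separate jobs, and keeping them apart is what makes the cleaning reliable: validate the shape of what came in (is it JSON at all, are these the fields we asked for, are they the right type and size), and escape at the moment the value is rendered into a particular context (HTML here). The example below is added to this thread and is not code from any of the posters; the field names, length limits and sample POST bodies are constructed for illustration. It parses with `json.loads` rather than anything that evaluates code, rejects fields it did not ask for, and escapes only at output time, so the stored text stays intact while the browser shows it as text. Sandboxing arbitrary HTML the way jsfiddle.net does is a separate mechanism (a distinct origin) and is not shown.

```python
import html
import json

# Constructed sample bodies (assumptions for this example, not data from the thread).
SAMPLE_POST = '{"author": "<script>alert(1)</script>", "body": "Hello & welcome"}'
EXTRA_FIELD_POST = '{"author": "Ada", "body": "hi", "role": "admin"}'
NOT_JSON_POST = "author=Ada&body=hi"

# Allowlist of accepted fields: name -> (required Python type, maximum length).
SCHEMA = {"author": (str, 80), "body": (str, 2000)}


class RejectedInput(ValueError):
    """Raised when a submission does not match the shape we asked for."""


def clean_comment(raw: str) -> dict:
    """Parse an untrusted JSON body and keep only the fields we expect.

    This is input validation: it checks shape, type and size. It does NOT try
    to strip "dangerous" characters, because what is dangerous depends on
    where the value is later used; that is the job of render_comment_html().
    """
    try:
        data = json.loads(raw)  # a data parser, never eval()
    except json.JSONDecodeError as exc:
        raise RejectedInput(f"body is not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise RejectedInput("top-level value must be an object")
    unknown = set(data) - set(SCHEMA)
    if unknown:
        # Reject rather than silently drop: an unexpected field is a signal.
        raise RejectedInput(f"unexpected fields: {sorted(unknown)}")
    cleaned = {}
    for field, (expected_type, max_len) in SCHEMA.items():
        value = data.get(field)
        if not isinstance(value, expected_type):
            raise RejectedInput(f"{field}: expected {expected_type.__name__}")
        if len(value) > max_len:
            raise RejectedInput(f"{field}: longer than {max_len} characters")
        cleaned[field] = value
    return cleaned


def is_accepted(raw: str) -> bool:
    """True if clean_comment() would accept the body."""
    try:
        clean_comment(raw)
        return True
    except RejectedInput:
        return False


def render_comment_html(comment: dict) -> str:
    """Escape at output time, for the HTML element context.

    The stored text keeps its angle brackets; html.escape() turns them into
    entities so the browser displays them instead of interpreting them.
    """
    return '<p class="comment"><b>{author}</b>: {body}</p>'.format(
        author=html.escape(comment["author"]),
        body=html.escape(comment["body"]),
    )


if __name__ == "__main__":
    comment = clean_comment(SAMPLE_POST)
    print(render_comment_html(comment))
    for body in (EXTRA_FIELD_POST, NOT_JSON_POST):
        print(body, "->", "accepted" if is_accepted(body) else "rejected")
```

The same stored value would need a different escaper if it were placed into a URL, a JavaScript string or an SQL statement; that is why the validation step leaves the characters alone and the rendering step decides.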


Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-19 Thread Andromeda Yelton
I considered leaving json out of the subject line on the grounds that it's
less terrifying, but I figured anyone accepting and parsing user data in
any format who didn't already know this stuff could benefit from hearing
about it. Didn't want people to rule themselves out because "oh, I don't do
yaml or xml". The biggest security vulnerability is the one you don't know
about yet, right?

On Fri, Dec 18, 2015 at 12:48 PM, Eric Phetteplace 
wrote:

> Agreed, I thought the JSON criticism was a bit of a stretch. It's hilarious
> that json.org, *created by Douglas Crockford*, mentions using eval() as a
> JSON parser, though.
>
> Best,
> Eric
>
> On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman 
> wrote:
>
> > Thanks, this was interesting. But the JSON segment is a little less than
> > terrifying as it’s predicated on the misuse of eval(), which is commonly
> > and easily avoided.
> >
> >
> > > On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <
> > > lists...@listserv.nd.edu> wrote:
> > >
> > > Date:Thu, 17 Dec 2015 09:22:07 -0500
> > > From:Andromeda Yelton <andromeda.yel...@gmail.com>
> > > Subject: yaml/xml/json, POST data, bloodcurdling terror
> > >
> > > I strongly recommend this hilarious, terrifying PyCon talk about
> > > vulnerabilities in yaml, xml, and json processing:
> > > https://www.youtube.com/watch?v=kjZHjvrAS74
> > >
> > > If you process user-submitted data in these formats and don't yet know why
> > > you should be flatly terrified, please watch this ASAP; it's illuminating.
> > > If you *do* know why you should be terrified, watch it anyway and giggle
> > > along in knowing recognition, because the talk is really very funny.
> > >
> > > --
> > > Andromeda Yelton
> > > Board of Directors, Library & Information Technology Association:
> > > http://www.lita.org
> > > http://andromedayelton.com
> > > @ThatAndromeda <http://twitter.com/ThatAndromeda>
> >
>



-- 
Andromeda Yelton
Board of Directors, Library & Information Technology Association:
http://www.lita.org
http://andromedayelton.com
@ThatAndromeda 


Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-18 Thread Katherine N. Deibel
It doesn't help that plenty of tutorials, like W3Schools, mention eval() 
without any qualifications about the security risks.



Kate Deibel, PhD | Web Applications Specialist
Information Technology Services
University of Washington Libraries
http://staff.washington.edu/deibel

--

"When Thor shows up, it's always deus ex machina."

On 12/18/2015 9:48 AM, Eric Phetteplace wrote:

> Agreed, I thought the JSON criticism was a bit of a stretch. It's hilarious
> that json.org, *created by Douglas Crockford*, mentions using eval() as a
> JSON parser, though.
>
> Best,
> Eric
>
> On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman
> wrote:
>
> > Thanks, this was interesting. But the JSON segment is a little less than
> > terrifying as it’s predicated on the misuse of eval(), which is commonly
> > and easily avoided.
> >
> > > On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <
> > > lists...@listserv.nd.edu> wrote:
> > >
> > > Date:Thu, 17 Dec 2015 09:22:07 -0500
> > > From:Andromeda Yelton
> > > Subject: yaml/xml/json, POST data, bloodcurdling terror
> > >
> > > I strongly recommend this hilarious, terrifying PyCon talk about
> > > vulnerabilities in yaml, xml, and json processing:
> > > https://www.youtube.com/watch?v=kjZHjvrAS74
> > >
> > > If you process user-submitted data in these formats and don't yet know why
> > > you should be flatly terrified, please watch this ASAP; it's illuminating.
> > > If you *do* know why you should be terrified, watch it anyway and giggle
> > > along in knowing recognition, because the talk is really very funny.
> > >
> > > --
> > > Andromeda Yelton
> > > Board of Directors, Library & Information Technology Association:
> > > http://www.lita.org
> > > http://andromedayelton.com
> > > @ThatAndromeda



Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-18 Thread Eric Phetteplace
Agreed, I thought the JSON criticism was a bit of a stretch. It's hilarious
that json.org, *created by Douglas Crockford*, mentions using eval() as a
JSON parser, though.

Best,
Eric

On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman 
wrote:

> Thanks, this was interesting. But the JSON segment is a little less than
> terrifying as it’s predicated on the misuse of eval(), which is commonly
> and easily avoided.
>
>
> > On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <
> > lists...@listserv.nd.edu> wrote:
> >
> > Date:Thu, 17 Dec 2015 09:22:07 -0500
> > From:Andromeda Yelton
> > Subject: yaml/xml/json, POST data, bloodcurdling terror
> >
> > I strongly recommend this hilarious, terrifying PyCon talk about
> > vulnerabilities in yaml, xml, and json processing:
> > https://www.youtube.com/watch?v=kjZHjvrAS74
> >
> > If you process user-submitted data in these formats and don't yet know why
> > you should be flatly terrified, please watch this ASAP; it's illuminating.
> > If you *do* know why you should be terrified, watch it anyway and giggle
> > along in knowing recognition, because the talk is really very funny.
> >
> > --
> > Andromeda Yelton
> > Board of Directors, Library & Information Technology Association:
> > http://www.lita.org
> > http://andromedayelton.com
> > @ThatAndromeda <http://twitter.com/ThatAndromeda>
>
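The eval() point that Brian and Eric are making deserves a concrete look, because "commonly and easily avoided" hides two smaller traps that survive even after eval() is gone. The example below is added to this thread and is not code from the list or from json.org; it uses Python's eval() as a stand-in for the JavaScript eval() under discussion (the failure is identical: an expression evaluator runs whatever it is handed, a data parser does not). The sample inputs are constructed, and the `getpid()` call is a deliberately harmless way of proving that code executed. It also shows two things `json.loads` accepts by default that a practitioner taking untrusted JSON usually wants refused: the non-standard constants `NaN`/`Infinity`, and duplicate keys, which different parsers resolve differently.

```python
import json

# Constructed inputs (assumptions for this example). NOT_JSON looks like JSON to a
# human but is a Python expression; os.getpid() is a harmless stand-in for "code ran".
VALID_JSON = '{"name": "Ada", "tags": ["json", "yaml"]}'
NOT_JSON = '{"name": __import__("os").getpid()}'
NONSTANDARD_JSON = '{"ratio": NaN}'
DUPLICATE_KEYS = '{"role": "user", "role": "admin"}'


def parse_with_eval(text: str):
    """The anti-pattern the thread is about, kept only to show what it does."""
    return eval(text)  # evaluates arbitrary code, not just data


def _reject_constant(name: str):
    # json.loads would otherwise accept NaN, Infinity and -Infinity, which are
    # not in the JSON grammar and surprise downstream consumers.
    raise ValueError(f"non-standard JSON constant rejected: {name}")


def _reject_duplicate_keys(pairs):
    # Different JSON parsers keep the first or the last duplicate; refusing both
    # avoids two components disagreeing about what the document said.
    result = {}
    for key, value in pairs:
        if key in result:
            raise ValueError(f"duplicate key rejected: {key!r}")
        result[key] = value
    return result


def parse_json_strictly(text: str):
    """Parse untrusted text as JSON data only: no code, no NaN, no duplicate keys."""
    return json.loads(
        text,
        parse_constant=_reject_constant,
        object_pairs_hook=_reject_duplicate_keys,
    )


def classify(text: str) -> str:
    """'data' if the strict parser accepts the text, otherwise 'rejected'."""
    try:
        parse_json_strictly(text)
        return "data"
    except ValueError:  # JSONDecodeError is a subclass of ValueError
        return "rejected"


if __name__ == "__main__":
    print("eval:", parse_with_eval(NOT_JSON))  # a live process id: code executed
    for sample in (VALID_JSON, NOT_JSON, NONSTANDARD_JSON, DUPLICATE_KEYS):
        print(f"{classify(sample):8} {sample}")
```

The browser-side equivalent is `JSON.parse`, which likewise throws on `NOT_JSON`; the duplicate-key and `NaN` behaviour is parser-specific, so check what the parser you actually ship does rather than assuming.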


[CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-17 Thread Andromeda Yelton
I strongly recommend this hilarious, terrifying PyCon talk about
vulnerabilities in yaml, xml, and json processing:
https://www.youtube.com/watch?v=kjZHjvrAS74

If you process user-submitted data in these formats and don't yet know why
you should be flatly terrified, please watch this ASAP; it's illuminating.
If you *do* know why you should be terrified, watch it anyway and giggle
along in knowing recognition, because the talk is really very funny.

-- 
Andromeda Yelton
Board of Directors, Library & Information Technology Association:
http://www.lita.org
http://andromedayelton.com
@ThatAndromeda 


Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-17 Thread David Mayo
Thanks! That's really solid.  I just spent $EMBARRASSINGLY_LONG_TIME
figuring out how to turn off half of Saxon's XML parsing functionality for
some of these reasons.

On Thu, Dec 17, 2015 at 9:22 AM, Andromeda Yelton <
andromeda.yel...@gmail.com> wrote:

> I strongly recommend this hilarious, terrifying PyCon talk about
> vulnerabilities in yaml, xml, and json processing:
> https://www.youtube.com/watch?v=kjZHjvrAS74
>
> If you process user-submitted data in these formats and don't yet know why
> you should be flatly terrified, please watch this ASAP; it's illuminating.
> If you *do* know why you should be terrified, watch it anyway and giggle
> along in knowing recognition, because the talk is really very funny.
>
> --
> Andromeda Yelton
> Board of Directors, Library & Information Technology Association:
> http://www.lita.org
> http://andromedayelton.com
> @ThatAndromeda 
>
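Turning off "half of the parsing functionality" is exactly the right instinct for untrusted XML: the dangerous features are the DTD ones (entity declarations that expand explosively, and entity references that point at external resources), and none of them are needed to read a record. Mayo's configuration is for Saxon, which is Java; the example below is added to this thread and is not his code or Saxon's. It shows the same policy with the Python standard library, since the talk is a PyCon one: a first pass with the stdlib expat parser whose handlers raise the moment a DOCTYPE, entity declaration or external entity reference appears, and only then the normal ElementTree parse. The sample documents are constructed, and the `file:///PLACEHOLDER/path` URL is a placeholder. For production Python the `defusedxml` package applies this policy across all the stdlib parsers; this block is the policy itself, spelled out.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed samples (assumptions for this example, not documents from the thread).
PLAIN_RECORD = "<record><title>On Parsing</title><year>2015</year></record>"
# A DOCTYPE with internal entities: the expansion pattern behind "billion laughs".
ENTITY_EXPANSION = (
    '<!DOCTYPE r [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    "<r>&b;&b;&b;&b;</r>"
)
# A DOCTYPE pointing at an external resource (the path is a placeholder).
EXTERNAL_ENTITY = (
    '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    "<r>&ext;</r>"
)


class UnsafeXML(ValueError):
    """Raised when a document uses features we do not accept from untrusted input."""


def _forbid(feature: str):
    # Build an expat handler that refuses the document instead of acting on it.
    def handler(*_args):
        raise UnsafeXML(f"{feature} is not accepted from untrusted input")
    return handler


def parse_untrusted_xml(text: str) -> ET.Element:
    """Parse XML from an untrusted source with DTD features switched off.

    First pass: the stdlib expat parser with handlers that raise on a DOCTYPE,
    an entity declaration or an external entity reference. Second pass: the
    normal ElementTree parse, which is only reached for documents that use
    none of those features, so its own internal-entity expansion never fires.
    """
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _forbid("a DOCTYPE declaration")
    checker.EntityDeclHandler = _forbid("an entity declaration")
    checker.ExternalEntityRefHandler = _forbid("an external entity reference")
    checker.Parse(text, True)  # raises UnsafeXML or expat.ExpatError
    return ET.fromstring(text)


def verdict(text: str) -> str:
    """'ok', 'unsafe' or 'malformed': a summary a request handler or log line can use."""
    try:
        parse_untrusted_xml(text)
        return "ok"
    except UnsafeXML:
        return "unsafe"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"


if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_RECORD), ("expansion", ENTITY_EXPANSION),
                      ("external", EXTERNAL_ENTITY), ("broken", "<r><x></r>")):
        print(f"{name:10} {verdict(doc)}")
```

Rejecting any DOCTYPE at all is deliberately blunter than Saxon's per-feature switches; it is the simplest policy to reason about, and a record that legitimately needs a DTD is the exception worth handling separately rather than the default.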


Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-17 Thread Eric Lease Morgan
On Dec 17, 2015, at 8:22 AM, Andromeda Yelton  
wrote:

> I strongly recommend this hilarious, terrifying PyCon talk about
> vulnerabilities in yaml, xml, and json processing:
> 
>   https://www.youtube.com/watch?v=kjZHjvrAS74
> 
> If you process user-submitted data in these formats and don't yet know why
> you should be flatly terrified, please watch this ASAP; it's illuminating.
> If you *do* know why you should be terrified, watch it anyway and giggle
> along in knowing recognition, because the talk is really very funny.


Obviously, the sorts of things outlined in the presentation above are real, and 
they are really scary. We developers need to take note: getting input from the 
‘Net can be a really bad thing. —Eric Lease Morgan


[CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-17 Thread Brian Hoffman
Thanks, this was interesting. But the JSON segment is a little less than 
terrifying as it’s predicated on the misuse of eval(), which is commonly and 
easily avoided. 

 
> On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system
> wrote:
>
> Date:Thu, 17 Dec 2015 09:22:07 -0500
> From:Andromeda Yelton
> Subject: yaml/xml/json, POST data, bloodcurdling terror
>
> I strongly recommend this hilarious, terrifying PyCon talk about
> vulnerabilities in yaml, xml, and json processing:
> https://www.youtube.com/watch?v=kjZHjvrAS74
>
> If you process user-submitted data in these formats and don't yet know why
> you should be flatly terrified, please watch this ASAP; it's illuminating.
> If you *do* know why you should be terrified, watch it anyway and giggle
> along in knowing recognition, because the talk is really very funny.
>
> --
> Andromeda Yelton
> Board of Directors, Library & Information Technology Association:
> http://www.lita.org
> http://andromedayelton.com
> @ThatAndromeda